How to reduce your SMS costs with passkeys

In this article, we'll take a closer look at the downsides of SMS-based authentication, including problems with fraud, costs, reliability, and user experience. To tackle these issues, we'll introduce passkeys as a modern passwordless authentication method that offers significant benefits over SMS-based methods.

After Twitter announced that it would discontinue SMS-based two-factor authentication (2FA) for users without a Twitter Blue subscription from 20 March 2023, citing abuse of SMS 2FA by fraudsters, the question arises what other drawbacks SMS-based authentication carries. Although it is widely deployed (both as a single factor and as a second factor) to give users better account protection, it brings problems that go well beyond security. In this article, we explore these drawbacks: fraud, cost, reliability, and user experience. As a remedy, passkeys can serve as the new passwordless standard authentication method. They are superior to SMS-based methods in many respects and are being adopted by more and more large enterprises. We at Corbado offer a plug-and-play passkey solution that lets you replace SMS-based flows and cut the associated expenses right away.

1. A glimpse into SMS-based authentication

Before we explore the drawbacks of SMS-based authentication, it helps to recall how it works. SMS-based authentication comes in two forms: single-factor and two-factor. In the single-factor form, a one-time passcode (OTP) sent via SMS is the only credential: the user enters a phone number, the server generates a short-lived random code, stores it (or a hash of it) together with an expiry, sends it to the number, and compares the code the user submits against the stored value. In the two-factor form, users first sign up or log in with their username/email and password and then confirm the action with an OTP delivered to their mobile phone via SMS. In both cases the security of the login rests on the assumption that only the legitimate user can read messages sent to that phone number.

2. Drawbacks of SMS-based authentication

Let's dive deeper into the drawbacks of SMS-based authentication by looking at the forms of fraud associated with this login method and at the challenges around reliability, user experience, and the financial costs of implementing, operating, and maintaining it.

2.1 Fraud

  • SMS traffic pumping: In SMS-based authentication, every request for a code or link causes the service provider to send an SMS to the phone number the user typed in. Traffic pumping abuses this: attackers use bots to trigger the OTP form at scale for phone numbers they control or that sit in number ranges with favourable termination rates. The fraudsters exploit the revenue-sharing agreements between mobile network operators (MNOs) and messaging providers: the messaging provider pays the MNO a fee for every message it delivers, and a share of that fee flows back to whoever controls the destination numbers, so inflating traffic directly generates revenue for the attacker. As pointed out by a current Stytch employee on Hacker News, the MNOs collaborate with the hacker by sharing revenues here. Preventive measures such as restricting the destination countries you send to (geo permissions), rate limiting per phone number and per IP address, and bot detection can mitigate traffic pumping, but because any anonymous visitor can trigger a send, complete elimination is nearly impossible. As a result, businesses often face significant, unexpected bills from the surge in outgoing messages. Commsrisk says Twitter alone lost an incredible 60 million USD yearly due to SMS traffic pumping. Legitimate users may also experience delays in receiving their authentication codes while the queues are flooded.
  • SIM swapping: In this type of fraud, attackers get an MNO to transfer a victim's mobile phone number to a SIM card they control, usually by social-engineering the carrier's customer support (or bribing an insider) rather than by exploiting a technical flaw. Once the number is ported, all incoming SMS messages, including authentication codes and links, are delivered to the attacker, who can then complete the SMS step and gain unauthorized access to the victim's accounts on every platform that relies on that number. SIM swapping is hard for the online service to detect, because from its point of view the code was delivered to the registered number and entered correctly. Since the affected company usually learns about the swap only after the damage is done, these attacks regularly result in account takeovers, financial losses, and reputational harm.

2.2 Costs

  • Implementation: There are two ways to implement SMS-based authentication: build and maintain an in-house system, or use an external authentication provider. A mix of both is possible, but sticking to one is recommended for simplicity. According to a Messente survey, building an SMS-only 2FA solution in-house can easily cost five figures, which is why an external solution, usually the cheaper option, is often the better choice.
  • Operations: Because delivering authentication SMS reliably means maintaining carrier relationships in every target country, almost every company uses an experienced provider. That service incurs per-transaction costs that vary by provider and depend on the number of messages sent, the destination countries, and any extra features. Some providers charge an additional fee per successful authentication, although this is often bundled into the overall price. According to miniOrange, transaction prices usually range from 0.01 to 0.20 USD per SMS, with high-quality routes directly connected to major carriers starting at around 0.06 USD. Since the users of a digital product are typically spread across many countries, buying several country-specific SMS plans drives expenses up further. This is how the cost of sending authentication messages alone can skyrocket; according to our information, SMS-based authentication costs one leading e-commerce company 12 million USD per year. You can of course restrict SMS-based authentication to key target countries and save some money, but that is a drop in the ocean and degrades the experience for the users you exclude.
  • Maintenance: Most maintenance costs are bundled into the transaction prices. They cover the provider's capacity to handle large SMS volumes, deliver internationally to the various MNOs, implement essential security measures, and stay compliant with regulations. Additional costs still land on the company itself: managing the vendor relationship with the SMS provider, supporting users whose codes do not arrive, and allocating staff to deal with downtime and technical issues.

2.3 Reliability

In the context of SMS-based authentication, reliability means that the SMS arrives consistently and promptly and that the login flow depending on the delivered code is available without interruption. Depending on the local infrastructure, message delivery delays, network congestion, and outages on the carrier or provider side can keep the code from arriving in time. When that happens, users get stuck at the login step, retry (which triggers more paid messages), or give up.

2.4 User experience

One key aspect to consider is that user-friendliness varies by platform. SMS-based authentication works reasonably well on mobile devices, where the operating system can autofill the code from the incoming message. On desktops, by contrast, the user needs a second device, the mobile phone, and has to read the code there and type it in manually, which is far less intuitive and convenient. As mentioned above, the user experience also suffers whenever fraud countermeasures kick in or the SMS is delayed or never arrives.

3. Passkeys as a replacement for SMS-based authentication

So far, passkeys have mainly been perceived as the passwordless alternative to passwords only.

However, a passkey login already combines two factors in a single step: possession of the device that holds the private key, and the biometric or PIN the user provides to unlock it. Passkeys therefore replace not only passwords but also any form of SMS-based authentication, whether it is used as the sole factor or as a second factor. This improves security and removes the user experience problems of SMS one-time passcodes. By doing away with authentication messages entirely, passkeys eliminate the drawbacks of SMS-based authentication described above.

3.1 Benefits

  • Phishing-resistant and robust security: Unlike SMS codes, which can be intercepted (SIM swapping) or tricked out of the user, passkeys are based on public-key cryptography. During registration the user's device generates a key pair; the server stores only the public key, and the private key stays in the device's platform authenticator, on current devices backed by secure hardware. If the server is breached, the attacker obtains public keys, which are useless for logging in. During login the server sends a fresh random challenge and the device returns a signature over it, so a captured response cannot be replayed. A passkey is also bound to the web origin (relying party ID) it was registered for: the browser will only offer it on that site, so a look-alike phishing domain never receives a usable response. Because no SMS is sent at all, traffic pumping and SIM swapping become irrelevant. Together these properties make passkeys one of the most secure authentication methods currently available.
  • Avoid high (transaction) costs: As with SMS-based authentication, implementing passkeys has a cost. Doing it in-house is possible, but since it concerns the security-critical login path, most companies prefer a specialist. That expertise costs a fraction of what you would otherwise spend and is comparable to what SMS-based authentication providers charge for implementation. From a cost standpoint, the decisive advantage of passkeys is that no SMS needs to be sent for login or sign-up: users authenticate locally with Face ID, Touch ID, or a similar unlock. This can save larger consumer-facing businesses millions in authentication costs per year and removes every problem that comes with sending and receiving SMS.

    Where a verified phone number is needed for marketing or other communication, an initial SMS with a one-time passcode remains an option, so SMS can run alongside passkeys. SMS can also serve as a fallback method. The key distinction from traditional SMS-based authentication is that in both scenarios SMS messages are sent only occasionally, not on every login attempt.
  • Convenient authentication and enhanced user experience: Unlocking phones and desktop devices with biometrics (Face ID, Touch ID, Windows Hello) has become commonplace. Passkeys extend this familiar gesture to logging in to accounts. Since most current phones, laptops and desktops are already passkey-ready, passkeys offer a one-to-one replacement for SMS-based authentication. A local fingerprint or face scan on the device at hand removes the need for a second device, which desktop SMS authentication still requires. Another feature specific to passkeys is Conditional UI: when the username field is marked up for it (`autocomplete="username webauthn"`), the browser offers the passkeys stored for that site directly in the autofill dropdown as soon as the user focuses the field. The user picks an entry and unlocks it, and both username and credential are supplied without typing or searching for anything.

4. Conclusion

To sum up, passkeys are a practical answer to the drawbacks of SMS-based authentication. They provide phishing-resistant security, eliminate per-login messaging costs, and offer a better user experience, which makes them a sensible replacement. With device biometrics and features like Conditional UI, passkeys make secure login seamless across platforms. For companies looking to step up their authentication, Corbado's passkey solution is a simple way to enhance security, cut costs, and leave the challenges of SMS-based authentication behind. Contact us for a tailor-made passkey authentication solution for your SMS OTP/2FA setup.
